Microsoft: Dexphot cryptocurrency miner infected more than 80 computers

Information security specialists at Microsoft have warned users about attacks by a cryptocurrency miner called Dexphot, which has been targeting Windows computers since October of last year. Peak malware activity was recorded in June of this year, when more than 80 computers worldwide were infected.

The report says that the malware uses various methods to evade defenses when penetrating victims' computers, including encryption, obfuscation, and random filenames that mask the installation process. The miner also does not use any files during the startup process, executing malicious code directly in memory, so it leaves very few traces of its presence. To avoid detection, Dexphot hijacks legitimate Windows processes, including unzip.exe, rundll32.exe, msiexec.exe, and others.

If a user tries to remove the malware from a computer, monitoring services are triggered and re-infection is initiated. The report notes that Dexphot is installed on computers that have already been infected. In the current campaign, the malware enters systems infected with the ICLoader virus. Malicious modules are downloaded from several URLs, which are also used to update the malware and re-infect systems.

“Dexphot is not the type of attack that gets media attention. This is one of the many campaigns that have been around for a long time. Its purpose is widespread in cybercrime circles and is to install a cryptocurrency miner that secretly uses computer resources for the benefit of attackers,” said Hazel Kim, a malware analyst at the Microsoft Defender ATP Research Group.



Source: 3dnews.ru
